Who would have guessed that Healthcare.gov wouldn’t turn out to be the biggest tech disaster of the Obama presidency?
Honestly, I’m kind of curious to see how much lower the bar can go. ‘Fess up, White House: He forgot his password for the nuclear launch codes, didn’t he?
The OPM had no IT security staff until 2013, and it showed. The agency was harshly criticized for its lax security in an inspector general’s report released last November that cited its lack of encryption and the agency’s failure to track its equipment. Investigators found that the OPM failed to maintain an inventory list of all of its servers and databases and didn’t even know all the systems that were connected to its networks. The agency also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road.
The millions of victims of the OPM breach are already expressing their anger over the massive data spill. J. David Cox, the president of the union of federal government employees, has written a strongly worded letter to OPM director Katherine Archuleta lambasting the security mismanagement that led to the breach and the agency’s response to it. “I understand that OPM is embarrassed by this breach,” Cox writes. “It represents an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.”
Cox’s letter points to what appears to be a lack of encryption protecting the breached personal data, “a cybersecurity failure that is absolutely indefensible and outrageous.”
OPM is the federal government’s Human Resources Department, the repository for virtually all personal information shared by employees for background checks and security clearances. To a foreign government eager to find blackmail material on U.S. workers in sensitive positions, it’s the Fort Knox of intelligence. Essentially, the feds neglected to post a guard to the vault until two years ago.
But that’s not the worst part. The worst part is that China was apparently in the system for more than a year after OPM began hiring IT security. In fact, if you believe the Journal’s sources, it wasn’t in-house techies who sniffed out the Chinese intrusion. It was — ta da — a company in the private sector:
At the time, OPM said the breach was discovered as the agency “has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.”
But four people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.
What can a foreign government do with incredibly detailed personnel records, which include brushes with the law and in some cases sexual peccadilloes? Lots of things, per John Schindler. Blackmail is the obvious one; another obvious one is sniffing out people in their own country who might be spying for the U.S. government and in contact with American officials. Less obvious but of concern to Schindler is simple identity theft. If China needs to neutralize an American agent, it’s now a simple matter of using his Social Security number and other identifying info to hack into his bank accounts, plant some suspicious-looking funds there or rack up a bunch of bad debts, and then wait for the FBI to sniff him out and revoke his security clearances. All of this was perfectly foreseeable given the obvious value of the OPM records to foreign spies and China’s relentless, years-long cyberespionage campaign against U.S. targets. And still: No guard posted at the vault until 2013.
Exit quotation via Cuffy Meigs:
This #OPMhack clearly demonstrates that America needs a president who will set up an insecure email server in her mud room.
— Cuffy (@CuffyMeh) June 12, 2015
Update: I want to say “unbelievable,” but that’s not quite accurate, is it?
China has basically everything now.
Hackers linked to China appear to have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, several U.S. officials said Friday, describing a second cyberbreach of federal records that could dramatically compound the potential damage…
Nearly all of the millions of security clearance holders, including CIA, National Security Agency and military special operations personnel, are potentially exposed in the security clearance breach, the officials said. More than 2.9 million people had been investigated for a security clearance as of October 2014, according to government records.
In the hack of standard personnel records announced last week, two people briefed on the investigation disclosed Friday that as many as 14 million current and former civilian U.S. government employees have had their information exposed to hackers, a far higher figure than the 4 million the Obama administration initially disclosed.
Among the federal employees whose records are stored at OPM are some, although apparently not all, agents of the CIA. Said a U.S. official to WaPo, “That’s the open question–whether it’s going to hit CIA folks. It would be a huge deal. They could start unmasking identities.”
How do you punish China for this? Recall our ambassador? Sanctions? Cyberwar? Also, what if the NSA’s already lifted most of the Chinese government’s own personnel records? The White House might not want to make too much of a stink knowing that China may have already detected the intrusion on their own system and could reveal it — but then, an authoritarian government would be less likely to acknowledge its vulnerability than ours would. Obama could get away with punishing them somehow even if we’re as guilty as they are.